Organizations need to be aware of the threats to their mission-critical data and take urgent steps to protect their data assets, according to an expert panel at Infosecurity Europe.
Businesses and public sector bodies both face growing risks from nation state actors, criminal groups and insiders.
These actors are increasingly targeting enterprise data, both because of its value and because it often lacks appropriate levels of protection.
The risk to data is even greater as organizations move to the cloud and software as a service (SaaS) for much of their technology. This can mean losing the granular controls of an in-house data center. However, firms are still responsible for the data they control, regardless of where it is stored.
Much of this reflects changes in organizations’ operating environments, which in turn reflect wider changes in the economy, Sean Turner, CISO at Twinstate, told an audience at Infosecurity Europe 2024.
“What is the modern data crisis? It's a hybrid working, post pandemic, new Cold War challenge, with organized crime,” Turner explained.
“My staff probably aren't in an office. Or if they are, they've just been forced back to the office.” This, he said, makes protecting data both more complicated and more urgent.
Change is also being driven by the technology platforms used by almost all large organizations, with a move away from on-premises IT.
“One of the largest problems in today’s world is that everything is on different SaaS providers and different cloud service providers,” said Owen John, head of cyber architecture at Imperial Brands.
“Having a handle on where your data are is difficult. But you can’t secure it if you don’t know where it is.”
Modern businesses want to move quickly to develop new products and services. Access to data is essential for this, but the result can be security compromises.
“The heads of business want to go as fast as possible,” said James Mckinlay, head of information security at Skuuudle.com. “They don’t worry enough about what might go wrong.”
For IT and security teams, the answer might lie in revisiting tried and tested techniques, such as data classification. Helping the business to organize data by its importance and sensitivity is vital to build an effective data security model.
According to the panelists, data classification might be less in the spotlight than it was; certainly, the task is harder with data stored in SaaS applications and the cloud. Making it mandatory to classify documents is one option, but the advice is to run smaller-scale pilots first.
Firms should also look at security by design and at empowering DevOps teams to build in security themselves, perhaps from a list of approved options.
Simon Goldsmith, enterprise security and platform lead at OVO, suggested that providing the business with guiderails for managing data could be more effective than complex rules.
“You can’t look to security to provide all the answers,” Goldsmith concluded.